We're trying to restrict access to a server by only allowing a limited number of hosts to access the server. It seems like it would be a pretty simple ACL, something like this (assuming the server is 10.10.10.100):
permit ip host 10.10.10.1 host 10.10.10.100
But where should we apply it? We'd planned to apply it on the interface that directly connects to the server, but it appears we can only apply it inbound on that interface (i.e. it would apply to traffic sourced from the server, inbound into the switch). So do we have to apply it to the VLAN on which the server resides, using it with a "permit ip any any" at the end to allow other traffic to flow freely over the VLAN?
We do not have very much to work with here. When you say that you added extra lines does that mean that you went into config mode and input the lines shown in your post? If so than probably the issue is that IOS adds additional lines to an existing access list at the bottom of the existing access list. And since the existing access list ended with permit ip any any, then any lines that you add below that will have no effect.
If that does not seem to explain your issue then I suggest that you post the relevant parts of the configuration as it exists. And a better explanation of what is not working would also help. Is the issue that no one can get to host 10.10.10.200? Or is the issue that everyone can get to that host? Or what is not working as you expect it to?
Thanks for the additional information. Deleting the existing access list and then creating it again with the added statements is the correct way to change it. From a syntax perspective I would say that your access list is correct. So my next question is which restricted IP are you testing from? And is your test using the same restricted IP to access both of the servers?
The overall approach of Jon's access list is certainly correct. You want to permit the specific hosts that can access the server, then you need to deny all other access to the server, and then you need to permit everything else. But there is a significant flaw in its detailed implementation. The source addresses are in subnet 10.10.10 and the server destination is also in subnet 10.10.10. This means that the sources and the destinations are all locally connected. And we do not have any capability to restrict connections within the local subnet..
The approach that Jon suggests works well if the source addresses are in remote subnets and are attempting to access the server through the VLAN interface where the access list is applied. This access we can control very well with the access list. So my question to you now becomes are you testing from a device that is outside of the 10.10.10 subnet or from a device that is in the 10.10.10 subnet?
Question We run asr9001 with XR 6.1.3, and we have a very long delay to
login w/ SSH 1 or 2 to the device compare to IOS device. After
investigation, the there is 1s delay between the client KEXDH_INIT and
the server (XR) KEXDH_REPLY. After debug ssh serv...
Introduction The purpose of this document is to demonstrate the Open
Shortest Path First (OSPF) behavior when the V-bit (Virtual-link bit) is
present in a non-backbone area. The V-bit is signaled in Type-1 LSA only
if the router is the endpoint of one or ...
Hi, I am seeing quite a few issues with patch install and wanted to
share my experience and workaround to this. Login to admin via CLI, then
access root with the “shell” command Issue “df –h” and you’ll probably
see the following directory full or nearly ...